Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-12 Thread Omindu Rathnaweera
I had a quick chat with Johann as well. So for the sake of backward
compatibility we will not change this in the product and will run the tests by
altering the registry entry.

@Fara: Am I correct to assume that oidc-scope-config.xml gets affected only
during the first startup? In any case we need to document both configs if we
haven't already.

On Sat, Aug 12, 2017 at 10:10 AM, Ashen Weerathunga  wrote:

>
>
> On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed 
> wrote:
>
>>
>>
>> On Friday, August 11, 2017, Omindu Rathnaweera  wrote:
>>
>>>
>>>
>>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana 
>>> wrote:
>>>
 Hi,

 Currently I am working on making WSO2 IS OpenID Connect certified. I
 ran a test on requesting essential claims from OP, when the scope is
 openid. It gave an error saying unexpected claims returned.

>>>
>>> This is not an error, but a warning, correct?
>>>
>>>
 Then I inquired about this issue through the mailing list of OIDC
 specifications [1]. I got some information from that as openid scope
 should only return subject and issuer.

 IS 5.4.0 supports many claims for the openid scope. They are:
 sub, email, email_verified, name, family_name, given_name, middle_name,
 nickname, preferred_username, profile, picture, website, gender, birthdate,
 zoneinfo, locale, phone_number, phone_number_verified, address, street,
 updated_at

 I couldn't find in the OIDC specification where it mentions that the openid
 scope should only return subject and issuer.

>>>
>>> AFAIK, the spec has not specifically mentioned what we should
>>> return for the openid scope and it only mentions what should be
>>> returned for the default 4 scopes. However it is understandable that the
>>> test client expects a minimum set of claims when having only the openid
>>> scope. If an RP needs additional claims, it should request them by
>>> specifying additional scopes and/or essential claims. So I think the
>>> correct behavior would be to return only a minimal set of claims for the
>>> openid scope.
>>>
>>
>> Since the spec hasn't specified this minimal set of claims, one can argue
>> that it is something specific to an RP. This is how our current
>> implementation works as well. Although we could define a set of claims bound
>> to the 'openid' scope, the service provider could control what it needs
>> from the claims bound to the openid scope by using the requested claims
>> configuration.
>>
>> Changing the 'openid' scope to return issuer and sub claims only will be a
>> breaking change for many existing providers who rely on the additional
>> claims (some of them could be mandatory in the PoV of the RP).
>>
>> IMO, if the spec doesn't mandate what should be returned for openid scope
>> then we can keep our existing implementation as it is.
>>
>
> +1 to keep existing claims if it's not a spec violation. Seems like we
> have defined all the standard claims mentioned in the spec [1] under our
> openid scope implementation. So if someone needs to remove some of the claims
> they can remove them from the OIDC configurations in the registry.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
>
>
>>
>>>
 Can you please help me on this issue?

 Thank you.


 [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html

 --

 *Hasini Witharana*
 Software Engineering Intern | WSO2


 *Email : hasi...@wso2.com*

 *Mobile : +94713850143*

>>>
>>>
>>> Regards,
>>> Omindu.
>>>
>>> --
>>> Omindu Rathnaweera
>>> Senior Software Engineer, WSO2 Inc.
>>> Mobile: +94 771 197 211
>>>
>>
>>
>> --
>> Farasath Ahamed
>> Software Engineer, WSO2 Inc.; http://wso2.com
>> Mobile: +94777603866
>> Blog: blog.farazath.com
>> Twitter: @farazath619 
>> 
>>
>>
>>
>>
>>
>>
>
>
> --
> *Ashen Weerathunga*
> Software Engineer
> WSO2 Inc.: http://wso2.com
> lean.enterprise.middleware
>
> Email: as...@wso2.com
> Mobile: +94716042995
> LinkedIn: http://lk.linkedin.com/in/ashenweerathunga
> 
>

Thanks,
Omindu

-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
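The claim-release logic debated in this thread (claims bound to the openid scope, the service provider's requested-claims configuration narrowing them, and RP-requested essential claims adding to them), as an added example that is not WSO2 IS code: the openid claim list is the one quoted in the thread, the other scopes follow OIDC Core section 5.4, and the function names are assumed.

```python
# Added example (not WSO2 IS code): a small model of how scope-bound claims,
# the service provider's requested-claims configuration and essential claims
# combine, using the claim lists quoted in this thread. Names are assumed.

# Claims WSO2 IS 5.4.0 binds to the openid scope (list from the thread).
OPENID_CLAIMS_IS_540 = frozenset(
    "sub email email_verified name family_name given_name middle_name nickname "
    "preferred_username profile picture website gender birthdate zoneinfo locale "
    "phone_number phone_number_verified address street updated_at".split())

# The minimal binding argued for on the openid-specs list: the subject only.
OPENID_CLAIMS_MINIMAL = frozenset({"sub"})

# Claims OIDC Core section 5.4 binds to the other standard scopes.
STANDARD_SCOPES = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

def scope_config(openid_claims):
    """Scope -> claims map with the given binding for the openid scope."""
    return {"openid": set(openid_claims), **STANDARD_SCOPES}

def claims_to_return(scopes, user_claims, config, sp_requested=None, essential=()):
    """Select the user claims the OP releases: scope-bound claims, narrowed by
    the SP's requested-claims list if one is set, plus RP-essential claims."""
    if "openid" not in scopes:
        raise ValueError("openid scope is required for an OIDC request")
    allowed = set()
    for scope in scopes:
        allowed |= config.get(scope, set())
    if sp_requested is not None:
        allowed &= set(sp_requested)
    allowed |= set(essential)
    allowed.add("sub")  # the subject identifier is always released
    return {k: v for k, v in user_claims.items() if k in allowed}

def unexpected_claims(returned, scopes, strict_config, essential=()):
    """Claims a strict conformance client would flag as not asked for."""
    expected = set(essential)
    for scope in scopes:
        expected |= strict_config.get(scope, set())
    return set(returned) - expected
```

Running it with the IS 5.4.0 binding for a bare openid request releases every claim the user has, which is exactly what a client expecting the minimal binding reports as unexpected; narrowing via the SP's requested claims or switching the binding in the registry removes that difference.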


Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-11 Thread Ashen Weerathunga
On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed 
wrote:

>
>
> On Friday, August 11, 2017, Omindu Rathnaweera  wrote:
>
>>
>>
>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana 
>> wrote:
>>
>>> Hi,
>>>
>>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran
>>> a test on requesting essential claims from OP, when the scope is openid. It
>>> gave an error saying unexpected claims returned.
>>>
>>
>> This is not an error, but a warning, correct?
>>
>>
>>> Then I inquired about this issue through the mailing list of OIDC
>>> specifications [1]. I got some information from that as openid scope
>>> should only return subject and issuer.
>>>
>>> IS 5.4.0 supports many claims for the openid scope. They are:
>>> sub, email, email_verified, name, family_name, given_name, middle_name,
>>> nickname, preferred_username, profile, picture, website, gender, birthdate,
>>> zoneinfo, locale, phone_number, phone_number_verified, address, street,
>>> updated_at
>>>
>>> I couldn't find in the OIDC specification where it mentions that the openid
>>> scope should only return subject and issuer.
>>>
>>
>> AFAIK, the spec has not specifically mentioned what we should
>> return for the openid scope and it only mentions what should be
>> returned for the default 4 scopes. However it is understandable that the
>> test client expects a minimum set of claims when having only the openid
>> scope. If an RP needs additional claims, it should request them by
>> specifying additional scopes and/or essential claims. So I think the
>> correct behavior would be to return only a minimal set of claims for the
>> openid scope.
>>
>
> Since the spec hasn't specified this minimal set of claims, one can argue
> that it is something specific to an RP. This is how our current
> implementation works as well. Although we could define a set of claims bound
> to the 'openid' scope, the service provider could control what it needs
> from the claims bound to the openid scope by using the requested claims
> configuration.
>
> Changing the 'openid' scope to return issuer and sub claims only will be a
> breaking change for many existing providers who rely on the additional
> claims (some of them could be mandatory in the PoV of the RP).
>
> IMO, if the spec doesn't mandate what should be returned for openid scope
> then we can keep our existing implementation as it is.
>

+1 to keep existing claims if it's not a spec violation. Seems like we have
defined all the standard claims mentioned in the spec [1] under our openid
scope implementation. So if someone needs to remove some of the claims they can
remove them from the OIDC configurations in the registry.

[1] http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims


>
>>
>>> Can you please help me on this issue?
>>>
>>> Thank you.
>>>
>>>
>>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>>
>>> --
>>>
>>> *Hasini Witharana*
>>> Software Engineering Intern | WSO2
>>>
>>>
>>> *Email : hasi...@wso2.com*
>>>
>>> *Mobile : +94713850143*
>>>
>>
>>
>> Regards,
>> Omindu.
>>
>> --
>> Omindu Rathnaweera
>> Senior Software Engineer, WSO2 Inc.
>> Mobile: +94 771 197 211
>>
>
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 
> 
>
>
>
>
>
>


-- 
*Ashen Weerathunga*
Software Engineer
WSO2 Inc.: http://wso2.com
lean.enterprise.middleware

Email: as...@wso2.com
Mobile: +94716042995
LinkedIn: http://lk.linkedin.com/in/ashenweerathunga

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-10 Thread Farasath Ahamed
On Friday, August 11, 2017, Omindu Rathnaweera  wrote:

>
>
> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana wrote:
>
>> Hi,
>>
>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran
>> a test on requesting essential claims from OP, when the scope is openid. It
>> gave an error saying unexpected claims returned.
>>
>
> This is not an error, but a warning, correct?
>
>
>> Then I inquired about this issue through the mailing list of OIDC
>> specifications [1]. I got some information from that as openid scope
>> should only return subject and issuer.
>>
>> IS 5.4.0 supports many claims for the openid scope. They are:
>> sub, email, email_verified, name, family_name, given_name, middle_name,
>> nickname, preferred_username, profile, picture, website, gender, birthdate,
>> zoneinfo, locale, phone_number, phone_number_verified, address, street,
>> updated_at
>>
>> I couldn't find in the OIDC specification where it mentions that the openid
>> scope should only return subject and issuer.
>>
>
> AFAIK, the spec has not specifically mentioned what we should return
> for the openid scope and it only mentions what should be returned
> for the default 4 scopes. However it is understandable that the test client
> expects a minimum set of claims when having only the openid scope. If an RP
> needs additional claims, it should request them by specifying additional
> scopes and/or essential claims. So I think the correct behavior would be to
> return only a minimal set of claims for the openid scope.
>

Since the spec hasn't specified this minimal set of claims, one can argue
that it is something specific to an RP. This is how our current
implementation works as well. Although we could define a set of claims bound
to the 'openid' scope, the service provider could control what it needs
from the claims bound to the openid scope by using the requested claims
configuration.

Changing the 'openid' scope to return issuer and sub claims only will be a
breaking change for many existing providers who rely on the additional
claims (some of them could be mandatory in the PoV of the RP).

IMO, if the spec doesn't mandate what should be returned for openid scope
then we can keep our existing implementation as it is.


>
>> Can you please help me on this issue?
>>
>> Thank you.
>>
>>
>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>
>> --
>>
>> *Hasini Witharana*
>> Software Engineering Intern | WSO2
>>
>>
>> *Email : hasi...@wso2.com*
>>
>> *Mobile : +94713850143*
>>
>
>
> Regards,
> Omindu.
>
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211
>


-- 
Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 

___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-10 Thread Omindu Rathnaweera
On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana  wrote:

> Hi,
>
> Currently I am working on making WSO2 IS OpenID Connect certified. I ran a
> test on requesting essential claims from OP, when the scope is openid. It
> gave an error saying unexpected claims returned.
>

This is not an error, but a warning, correct?


> Then I inquired about this issue through the mailing list of OIDC
> specifications [1]. I got some information from that as openid scope
> should only return subject and issuer.
>
> IS 5.4.0 supports many claims for the openid scope. They are:
> sub, email, email_verified, name, family_name, given_name, middle_name,
> nickname, preferred_username, profile, picture, website, gender, birthdate,
> zoneinfo, locale, phone_number, phone_number_verified, address, street,
> updated_at
>
> I couldn't find in the OIDC specification where it mentions that the openid
> scope should only return subject and issuer.
>

AFAIK, the spec has not specifically mentioned what we should return
for the openid scope and it only mentions what should be returned
for the default 4 scopes. However it is understandable that the test client
expects a minimum set of claims when having only the openid scope. If an RP
needs additional claims, it should request them by specifying additional
scopes and/or essential claims. So I think the correct behavior would be to
return only a minimal set of claims for the openid scope.


> Can you please help me on this issue?
>
> Thank you.
>
>
> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>
> --
>
> *Hasini Witharana*
> Software Engineering Intern | WSO2
>
>
> *Email : hasi...@wso2.com *
>
> *Mobile : +94713850143*
>


Regards,
Omindu.

-- 
Omindu Rathnaweera
Senior Software Engineer, WSO2 Inc.
Mobile: +94 771 197 211
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


[Dev] Regarding the OIDC openid scope in WSO2 IS

2017-08-10 Thread Hasini Witharana
Hi,

Currently I am working on making WSO2 IS OpenID Connect certified. I ran a
test on requesting essential claims from OP, when the scope is openid. It
gave an error saying unexpected claims returned.

Then I inquired about this issue through the mailing list of OIDC
specifications [1]. I got some information from that as openid scope should
only return subject and issuer.

IS 5.4.0 supports many claims for the openid scope. They are:
sub, email, email_verified, name, family_name, given_name, middle_name,
nickname, preferred_username, profile, picture, website, gender, birthdate,
zoneinfo, locale, phone_number, phone_number_verified, address, street,
updated_at

I couldn't find in the OIDC specification where it mentions that the openid
scope should only return subject and issuer.

Can you please help me on this issue?

Thank you.


[1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html

-- 

*Hasini Witharana*
Software Engineering Intern | WSO2


*Email : hasi...@wso2.com *

*Mobile : +94713850143*
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev